Method, software and apparatus for computing discrete logarithms modulo a prime

ABSTRACT

A decoding apparatus having a non-transient memory in which is stored an electromagnetic signal representative of data which were encrypted relying on the difficulty of computing discrete logarithms. The decoding apparatus has a computer in communication with the memory that decodes the encrypted data in the memory by computing the data's discrete logarithm. The decoding apparatus has a display on which the decoded encrypted data are displayed by the computer. A method for decoding.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation-in-part of U.S. patent application Ser. No. 14/886,404 filed Oct. 19, 2015, which claims priority from U.S. provisional application Ser. No. 62/181,322 filed on Jun. 18, 2015, both of which are incorporated by reference herein.

I. FIELD OF THE INVENTION

The present invention considers the exponential congruence

$a_0^{x} \equiv y_0 \pmod{p} \qquad (1)$

where p is prime and a₀ is a primitive root modulo p. Since a₀ is primitive, x and y₀ are in a one-to-one correspondence for integer values in the range 1≤x, y₀≤p−1 [3]. Let G denote the set of integers {1, 2, . . . , p−1} and let |G| denote their number. Given p and a₀ and given y₀ in G, it is desired to find x modulo p−1. The integer x is usually referred to as the discrete logarithm of y₀ in base a₀ modulo p. (As used herein, references to the “present invention” or “invention” relate to exemplary embodiments and not necessarily to every embodiment encompassed by the appended claims.)

BACKGROUND OF THE INVENTION

Pohlig and Hellman discussed the significance of this problem for cryptographic systems [3]. It was concluded by Pohlig and Hellman that, if p−1 has only small prime factors, x can be computed in a time of the order of log² p. However, if p−1 has a large prime factor p′, the search for x requires a time of the order p′·log p and may be intractable. As an illustration, Pohlig and Hellman presented two large primes of the form p=2·p′+1, where p′ is also prime and where

$p' = 2^{13}\cdot 5\cdot 7\cdot 11\cdot 13\cdot 17\cdot 19\cdot 23\cdot 29\cdot 31\cdot 37\cdot 41\cdot 43\cdot 47\cdot 53\cdot 59 + 1 \qquad (2)$

or

$p' = 2^{121}\cdot 5^{2}\cdot 7^{2}\cdot 11^{2}\cdot 13\cdot 17\cdot 19\cdot 23\cdot 29\cdot 31\cdot 37\cdot 41\cdot 43\cdot 47\cdot 53\cdot 59 + 1. \qquad (3)$
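The Pohlig–Hellman observation above, worked in code. The example below is added here and is not part of the patent: it solves the discrete logarithm digit by digit for each prime-power factor of p−1 and combines the partial results with the Chinese remainder theorem, so its running time is governed by the largest prime factor of p−1. The prime 9241 = 2³·3·5·7·11 + 1 and the exponent 1234 are constructed for the demonstration, and `is_safe_prime` is the check a defender applies when choosing a group: for p = 2·p′+1 with p′ prime the inner digit loop would have to run about p′ times.

```python
"""Pohlig-Hellman discrete logarithm modulo a prime p whose p-1 is smooth.

Added example, not part of the patent.  The prime 9241 = 2^3*3*5*7*11 + 1
and the exponent 1234 used in the demo are constructed values.
"""


def factorize(n):
    """Trial-division factorization of n into {prime: exponent} (fine for small n)."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_prime(n):
    return n > 1 and factorize(n) == {n: 1}


def is_safe_prime(p):
    """p = 2*p' + 1 with p' prime: then p-1 has the large factor p', and the
    digit search below would cost about p' steps for that factor."""
    return is_prime(p) and is_prime((p - 1) // 2)


def find_primitive_root(p):
    """Smallest g whose order modulo the prime p is p-1."""
    qs = factorize(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError("no primitive root found")


def dlog_prime_power(g, h, p, q, e):
    """Solve g^x = h (mod p) for x mod q^e, where g has order q^e modulo p.
    The k-th base-q digit of x is found by at most q trial exponentiations."""
    gamma = pow(g, q ** (e - 1), p)  # generator of the order-q subgroup
    x = 0
    for k in range(e):
        # strip the digits already known, then project into the order-q subgroup
        hk = pow(pow(g, -x, p) * h % p, q ** (e - 1 - k), p)
        for digit in range(q):
            if pow(gamma, digit, p) == hk:
                x += digit * q ** k
                break
        else:
            raise ValueError("h is not a power of g")
    return x


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime moduli."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = (r - x) * pow(m, -1, mi) % mi
        x += m * t
        m *= mi
    return x % m


def pohlig_hellman(g, h, p):
    """Discrete logarithm of h to the base g modulo the prime p (g a primitive root).
    The cost is the sum over the prime powers q^e dividing p-1 of about e*q trial
    steps, so the largest prime factor of p-1 dominates."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factorize(n).items():
        m = q ** e
        g_i = pow(g, n // m, p)  # has order q^e
        h_i = pow(h, n // m, p)
        residues.append(dlog_prime_power(g_i, h_i, p, q, e))
        moduli.append(m)
    return crt(residues, moduli)


if __name__ == "__main__":
    p = 9241  # constructed: p-1 = 2^3 * 3 * 5 * 7 * 11, very smooth
    g = find_primitive_root(p)
    h = pow(g, 1234, p)
    print("x =", pohlig_hellman(g, h, p))                      # 1234
    print("safe prime?", is_safe_prime(p), is_safe_prime(23))  # False True
```

The digit loop is the whole story: for 9241 the longest loop runs 11 times, while for a prime of the form in (2) or (3) the factor p′ of p−1 would make the same loop run p′ times.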

In general, let p=2·p′+1, where p′ is prime and

$p' - 1 = 2^{\varepsilon_0}\cdot q_1^{\varepsilon_1}\cdot q_2^{\varepsilon_2}\cdots q_i^{\varepsilon_i}\cdots q_h^{\varepsilon_h}, \qquad (4)$

where ε₀≥1 and, for 1≤i≤h, q_i denotes an odd prime and ε_i>0. Also, for 1≤i<h, 2<q_i<q_(i+1).

NOTE 1: Pohlig and Hellman observed that q₁≠3. In fact p=2·p′+1=2·(p′−1)+3. Since p is prime, it must be gcd(3, p′−1)=1.

NOTE 2: Let X denote the set of elements of G which are relatively prime to p−1 and let A denote the set of primitive roots modulo p. Then |X|=|A|=φ(p−1), where φ(n) denotes the Euler totient function.

NOTE 3: The elements of X form a commutative (abelian) group under the operation of multiplication modulo p−1. An integer m≥1 has a primitive root if and only if m=1, 2, 4, p^d or 2·p^d, where p is a prime number and d is a positive integer [1, p. 211]. When X is cyclic, there exist integers ρ which are primitive roots of X modulo p−1. When primitive roots of X exist, let Y denote the set of elements of X which are primitive roots of X modulo p−1.

NOTE 4: Section VIII below shows that, when p′−1 can be described as in (4), X is cyclic only if ε₀<3.

BRIEF SUMMARY OF THE INVENTION

The present invention introduces an algorithm which, when p=2·p′+1, p′ is prime and p′−1 contains only small prime factors, produces the solution of (1) in a time of the order of log log p·log² p.

The present invention pertains to a decoding apparatus. The decoding apparatus comprises a non-transient memory in which is stored an electromagnetic signal representative of data which were encrypted relying on the difficulty of computing discrete logarithms. The decoding apparatus comprises a computer in communication with the memory that decodes the encrypted data in the memory by computing the data's discrete logarithm. The decoding apparatus comprises a display on which the decoded encrypted data are displayed by the computer.

The present invention pertains to a method for processing an electromagnetic signal representative of encrypted data which were produced, by a first computer, relying on the difficulty of computing discrete logarithms. The method comprises the steps of storing the encrypted data in a non-transient memory of a second computer. There is the step of performing with the second computer in communication with the memory the computer-generated steps of decoding the encrypted data in the memory by computing the data's discrete logarithms, and displaying on a display the decoded data.

The present invention pertains to a computer program stored in a non-transient memory for decoding an electromagnetic signal which is encrypted relying on the difficulty of computing discrete logarithms. The program has the computer-generated steps of storing the encrypted data in a non-transient memory. There is the step of decoding the encrypted data in the memory by computing the data's discrete logarithms. There is the step of displaying on a display the decoded data.

The present invention pertains to a method for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000. The method comprises the steps of executing with a computer a sequence of reversible transformations supported by a non-transient memory in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1. There is the step of reporting the restated problem on a display.

The present invention pertains to a method for decoding. The method comprises the steps of selecting with a computer primitives of sub-groups of a group stored in a non-transient memory, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. There is the step of reporting the exponents on a display.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

In the accompanying drawings, the preferred embodiment of the invention and preferred methods of practicing the invention are illustrated in which:

FIG. 1 is a block diagram of the apparatus of the claimed invention.

FIG. 2 is a representation of ρ₁^(x₁)·ρ₂^(x₂) (mod 70) using orthogonal primitives.

DETAILED DESCRIPTION OF THE INVENTION

Referring now to the drawings wherein like reference numerals refer to similar or identical parts throughout the several views, and more specifically to FIG. 1 thereof, there is shown a decoding apparatus 10. The decoding apparatus 10 comprises a non-transient memory 14 in which is stored an electromagnetic signal representative of data which were encrypted relying on the difficulty of computing discrete logarithms. The decoding apparatus 10 comprises a computer 12 in communication with the memory 14 that decodes the encrypted data in the memory 14 by computing the data's discrete logarithm. The decoding apparatus 10 comprises a display 18 on which the decoded encrypted data are displayed by the computer 12.

The computer 12 may reduce the complexity of an exponential congruence which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000, and executes a sequence of reversible transformations supported by the non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1. The computer 12 may select primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product.

The present invention pertains to a method for processing an electromagnetic signal representative of encrypted data which were produced relying on the difficulty of computing discrete logarithms. The method comprises the steps of producing the electromagnetic signal by a first computer 12. There is the step of providing the signal to a second computer 22 through an input 20 of the second computer 22. The input 20 can be a keyboard in communication with the second computer 22 or a memory port, such as a USB port that receives a flash drive or a CD reader that receives a CD with the signal; or the input 20 can be a network interface card in communication with the second computer 22 having a network port which is in communication with a network 24 over which the signal is transmitted from the first computer 12. The second computer 22 obtains the signal from the network 24 through the input 20 of the second computer 22. There is the step of storing the encrypted data in a non-transient memory 14 of a second computer 22. There is the step of performing with the second computer 22 in communication with the memory 14 the computer-generated steps of decoding the encrypted data in the memory 14 by computing the data's discrete logarithms, and displaying on a display 18 the decoded data.

The performing step may include the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000. There may be the step of executing with the computer a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1. There may be the step of reporting the restated problem on a display 18. The performing step may include the step of selecting with the computer primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product.

The present invention pertains to a computer program 16 stored in a non-transient memory 14 for decoding an electromagnetic signal which is encrypted relying on the difficulty of computing discrete logarithms. The program has the computer-generated steps of storing the encrypted data in a non-transient memory 14. There is the step of decoding the encrypted data in the memory 14 by computing the data's discrete logarithms. There is the step of displaying on a display 18 the decoded data.

The decoding step may include the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000. There may be the step of executing with the computer a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1.

The decoding step may include the steps of selecting with the computer primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product.

The present invention pertains to a method for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000. The method comprises the steps of executing with a computer a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1. There is the step of reporting the restated problem on a display 18.

The present invention pertains to an apparatus 10 for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000. The apparatus 10 comprises a non-transient memory 14. The apparatus 10 comprises a computer in communication with the non-transient memory 14 which executes a sequence of reversible transformations supported by the non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1. The apparatus 10 comprises a display 18 on which the restated problem is reported.

The present invention pertains to a computer program 16 stored in a non-transient memory 14 for reducing the complexity of an exponential congruence, preferably for decoding, which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000. The program comprises the computer-generated steps of executing a sequence of reversible transformations supported by a non-transient memory 14 in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1. There is the step of reporting the restated problem on a display 18.

The present invention pertains to a method for decoding. The method comprises the steps of selecting with a computer primitives of sub-groups of a group stored in a non-transient memory 14, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. There is the step of reporting the exponents on a display 18.

The present invention pertains to a computer program 16 stored in a non-transient memory 14 for decoding. The program comprises the computer-generated steps of selecting primitives of sub-groups of a group stored in a non-transient memory 14, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. There is the step of reporting the exponents on a display 18.

The present invention pertains to an apparatus 10 for decoding. The apparatus 10 comprises a non-transient memory 14. The apparatus 10 comprises a computer in communication with the memory 14 which selects primitives of sub-groups of a group stored in the non-transient memory 14, where the group is defined modulo φ(p−1) in such a way that an exponent of any one primitive is independent of an exponent of any other primitive, thus reducing the complexity of a search for such exponents to a number of operations of the order of a sum of such exponents as opposed to their product. The apparatus 10 comprises a display 18 in communication with the computer on which the exponents are reported.

In the operation of the invention, the following is a description of the solution of (1).

II. THE CASE WHEN ε₀=1. A RESTATEMENT

1) Step One. Definition of “Superprimitives”

In general in (1) a₀ is not a primitive root of X modulo p−1. It is convenient to restate (1) in such a way that on the LHS of (1) a₀ be replaced by a primitive of X modulo p−1.

If ρ denotes a primitive of X modulo p−1, consider the process of raising both sides of (1) to the power ρ^l. As l increases, a₀^(ρ^l) modulo p traces an orbit of primitives modulo p.

If p is large, and if p=2·p′+1, where p′ is also prime, approximately half of the elements of G are elements of this orbit [2, p. 269].

For some integer l̃, a₀^(ρ^l̃) is also a primitive of X modulo p−1. In this case, define

$\begin{cases} a_0^{\rho^{\tilde l}} \equiv a \pmod{p} \\ y_0^{\rho^{\tilde l}} \equiv y \pmod{p} \end{cases} \qquad (5)$

Then

$a^{x} \equiv y \pmod{p}. \qquad (6)$

An integer which is a primitive root of p and also a primitive of X modulo p−1 will be referred to as a superprimitive of p.

Table I shows the superprimitives of a set of small primes (ε₀≤2).

Table II shows some relevant variables for such primes.

TABLE I

p     Superprimitives of p
11    7
23    7, 17, 19
47    5, 11, 15, 19, 33, 43
59    11, 31, 37, 39, 43, 47, 55
107   5, 21, 31, 45, 51, 55, 65, 67, 71, 73, 103
167   5, 13, 15, 35, 39, 43, 45, 53, 55, 67, 71, 73, 79, 91, 101, 103, 105, 117, 125, 129, 135, 139, 143, 145, 149, 155, 159, 163
263   29, 57, 67, 85, 87, 97, 115, 119, 127, 130, 139, 141, 161, 171, 185, 197, 213, 219, 227, 229, 237, 241, 247, 251, 255, 257, 259
347   5, 7, 17, 19, 45, 63, 65, 69, 79, 91, 97, 101, 103, 111, 123, 125, 141, 145, 153, 155, 165, 171, 175, 191, 193, 203, 215, 217, 221, 223, 231, 239, 245, 247, 283, 301, 307, 335, 343
359   7, 21, 35, 53, 63, 71, 97, 103, 105, 109, 113, 119, 137, 143, 157, 159, 163, 167, 175, 189, 197, 209, 211, 213, 223, 251, 257, 263, 265, 269, 271, 277, 291, 293, 299, 309, 311, 313, 315, 319, 327, 329, 339, 341, 343, 349, 353, 355
383   33, 35, 47, 53, 61, 83, 89, 91, 95, 99, 105, 111, 123, 127, 131, 141, 145, 151, 157, 167, 179, 181, 183, 187, 233, 247, 249, 253, 267, 285, 297, 307, 315, 337, 355, 359, 365, 367, 369, 379
479   13, 19, 37, 39, 41, 43, 47, 53, 57, 59, 65, 79, 95, 117, 119, 123, 129, 143, 149, 159, 171, 177, 179, 185, 191, 205, 209, 223, 227, 235, 237, 265, 281, 285, 295, 317, 325, 333, 351, 353, 357, 369, 379, 387, 391, 395, 423, 429, 433, 447, 449, 451, 461, 463, 467, 469, 473, 475
503   19, 29, 37, 53, 55, 57, 71, 87, 107, 109, 111, 127, 133, 137, 139, 159, 163, 165, 167, 191, 193, 203, 213, 215, 239, 269, 277, 295, 305, 307, 313, 321, 327, 333, 341, 347, 349, 371, 381, 385, 399, 409, 417, 419, 437, 453, 457, 461, 467, 471, 475, 479, 481, 485, 487, 489, 495, 499
587   5, 11, 13, 19, 23, 41, 45, 85, 99, 103, 105, 111, 117, 125, 127, 131, 139, 157, 171, 173, 183, 187, 207, 213, 215, 221, 227, 231, 241, 245, 251, 259, 265, 263, 273, 275, 291, 295, 321, 323, 325, 327, 335, 337, 341, 365, 367, 369, 373, 391, 399, 403, 405, 415, 427, 435, 467, 473, 475, 483, 487, 497, 523, 539, 541, 557, 559, 583

TABLE II

p     |A| = |X|   |Y|   |A ∩ Y|   |A|/|A ∩ Y|
11    4           2     1         4.0000
23    10          4     3         3.3333
47    22          10    6         3.6666
59    28          12    7         4.0000
107   52          24    11        4.7273
167   82          40    28        2.9286
263   130         48    26        5.0000
347   172         84    39        4.4103
359   178         88    48        3.7083
383   190         72    40        4.7500
479   238         96    58        4.1034
503   250         100   58        4.3103
587   292         144   68        4.2941

NOTE 1: If ε₀≤2, X is cyclic and there exists an integer ρ which is a primitive root of X modulo p−1. If p is large, to determine ρ it is sufficient to select any random integer and to verify that a) ρ is an element of X, which means that it is relatively prime to p−1, and b) ρ is an element of Y, which means that it is relatively prime to φ(p−1)=p′−1. The process of producing ρ should not be long, because, if p is large, the probability that two integers be prime to one another is 6/π² [2, p. 269]. Thus, the probability that an integer chosen at random be prime to p−1 and p′−1 is approximately (6/π²)² or 1/2.7055.

NOTE 2: The ratio |A|/|A∩Y| is relevant because it is related to the number of trials which should be expected when ρ is employed in the search for a.

NOTE 3: The ratio |A|/|A∩Y| may grow when p increases. As an example, when p=6466463=2·p′+1 and p′=2·5·7·11·13·17·19+1, |A|/|A∩Y|=7.7931.

NOTE 4: Comparing the data for p₂=6466463 and p₁=587, observe that, when p₁ is replaced by p₂, the ratio |A|/|A∩Y| is multiplied by a factor of 7.7931/4.2941, which is less than 2, while 6466463 is greater than 587².

2) Step Two

In general in (6) y is not a primitive root modulo p. It is convenient to restate (6) in such a way that the RHS of (6) be a primitive modulo p. This can be accomplished by multiplying both sides of (6) by a, a sufficient number of times until the desired condition is satisfied. If after r̃ iterations this condition is satisfied, let

$\begin{cases} b \equiv a^{\tilde r}\cdot y \pmod{p} \\ s \equiv x + \tilde r \pmod{p-1} \end{cases} \qquad (7)$

Then

$a^{s} \equiv b \pmod{p}. \qquad (8)$

After this restatement the search for x is conducted in a smaller, more structured environment. Since b is a primitive modulo p and a is a primitive of X modulo p−1, s is relatively prime to p−1 and can be represented as follows

$\begin{cases} s \equiv a^{t} \pmod{p-1} \\ a^{a^{t}} \equiv b \pmod{p} \end{cases} \qquad (9)$

where t denotes an integer and 0≤t<φ(p−1).

3) Step Three

Consider the process of raising the second of (9) to a^u modulo p. Let d denote the least positive residue modulo p of the corresponding RHS of (9). As u increases, the integer d describes an orbit of primitives modulo p. It is desired that d be also a primitive of X modulo p−1. If, after ũ operations, this condition is satisfied, define

$a^{a^{\upsilon}} \equiv d \pmod{p} \qquad (10)$

where

$\begin{cases} \upsilon \equiv t + \tilde u \pmod{\varphi(p-1)} \\ d \equiv b^{a^{\tilde u}} \pmod{p} \end{cases} \qquad (11)$

Consider the integer d^(d^w), where w denotes an integer. Since d is a primitive modulo p and a primitive of X modulo p−1, when w varies d^(d^w) traces an orbit which contains all the primitives modulo p, including a.

Therefore, there does exist an integer w such that

$a \equiv d^{d^{w}} \pmod{p}. \qquad (12)$

4) Conclusion

The exponential congruence (1) is referred to as a “one-way” transaction, meaning that, when x is known, it is easy to compute a₀^x modulo p, while, when y₀ is known, the computation of x may be intractable. The restatement introduced by this section produces the congruences (10) and (12), which have similar structure and comparable complexity.

In order to determine the relationship between υ and w, raise (12) to a^υ modulo p. It will be

$a^{a^{\upsilon}} \equiv d^{a^{\upsilon}\cdot d^{w}} \pmod{p}, \qquad (13)$

whence, by (10),

$a^{\upsilon}\cdot d^{w} \equiv 1 \pmod{p-1} \qquad (14)$

or

$a^{\upsilon} \equiv d^{-w} \pmod{p-1}. \qquad (15)$

As a conclusion: υ and w are exponents of known superprimitives of p, a and d, respectively. The integers a^υ and d^w are related in a congruence which is defined modulo p−1.

NOTE 1: In general, given (1), the integers a and d which result from the proposed restatements are not unique.

NOTE 2: In principle, it would be possible to explore the case when a is a superprimitive of p and p−1. As an example, 19 is a superprimitive of 47 and 23. However, not all primes have superprimitives modulo p and modulo p−1.

III. ORTHOGONAL PRIMITIVES WHEN ε₀=1

Refer to (15). Let V denote the set of integers υ and w (1≤υ, w≤p′−1) which are candidate solutions of (10), (12), and (15) and let |V| denote their number.

A) It is desired to represent V as the direct product of distinct subsets of V, each one associated with one of the factors (q_i^(ε_i) or 2^(ε₀)) of p′−1.

B) It is desired to partition and process independently the corresponding sets of candidate solutions.

To reach these aims:

A) The number of significant candidate elements associated with each of such sets is φ(q_i^(ε_i)). Then the total number of candidate elements, say |V|, would be

$|V| = \varphi(p'-1) = 2^{\varepsilon_0 - 1}\cdot\prod_{i=1}^{h}\varphi\left(q_i^{\varepsilon_i}\right). \qquad (16)$

The candidate elements associated to φ(q_i^(ε_i)), say ρ_i^(υ_i), are relatively prime to q_i and can be represented as the elements of a cyclic group having ρ_i as its generator. Notice that, thus far, nothing has been stated concerning the divisibility of ρ_i by q_j when i≠j.

B) Consider the case when υ and w are represented as the direct product of their component subgroups. In the case when ε₀=1, ε₀−1=0. In order to process independently the cyclic subsets of V, consider the case when the primitive of the cycle i is defined as follows:

$\rho_i = 1 + \lambda_i\cdot\varphi(p-1)/q_i^{\varepsilon_i} = \sigma_i + \mu_i\cdot q_i^{\varepsilon_i}, \qquad (17)$

where σ_i denotes any primitive modulo q_i and (λ_i, μ_i) denotes a pair of integers. Given σ_i, the pair (λ_i, μ_i) can be any one of the solution pairs of the following:

$\sigma_i - 1 + \mu_i\cdot q_i^{\varepsilon_i} = \lambda_i\cdot\varphi(p-1)/q_i^{\varepsilon_i}. \qquad (18)$

Given any solution pair (λ̃_i, μ̃_i), its substitution into (17) produces ρ_i modulo φ(p−1). After this restatement, ρ_i is relatively prime to φ(p−1).

Consider the case when p′−1 has a structure of the form (2) or (3), that is

a) 5 is the smallest odd prime divisor of p′−1, and

b) each divisor q_i is the smallest odd prime greater than q_(i−1).

Under these conditions, all the odd prime divisors of φ(p′−1), with the exception of 3, are also divisors of φ(p−1). It is possible to select σ_i in such a way that ρ_i is not a multiple of 3. In this case, ρ_i^(υ_i) is relatively prime with φ(p−1) and φ(p′−1).

Thus, when p′−1 has the structure of (2) or (3) and υ is relatively prime with φ(p−1) and 3, it is possible to represent υ and w as follows

$\begin{cases} \upsilon \equiv \prod_{i=1}^{h}\rho_i^{\upsilon_i} \pmod{\varphi(p-1)} \\ w \equiv \prod_{i=1}^{h}\rho_i^{w_i} \pmod{\varphi(p-1)} \end{cases} \qquad (19)$

where υ_i and w_i denote integers defined modulo φ(q_i^(ε_i)). It will be

$\begin{cases} \dfrac{\varphi(p-1)}{q_i^{\varepsilon_i}}\cdot\rho_j \equiv \dfrac{\varphi(p-1)}{q_i^{\varepsilon_i}} \pmod{\varphi(p-1)} & \text{for } i \neq j \\[1ex] \dfrac{\varphi(p-1)}{q_i^{\varepsilon_i}}\cdot\rho_j \equiv \dfrac{\varphi(p-1)}{q_i^{\varepsilon_i}}\cdot\sigma_j \pmod{\varphi(p-1)} & \text{for } i = j \end{cases} \qquad (20)$

The congruences (20) define the orthogonality between ρ_i and ρ_j, for i≠j, and validate the definition of ρ_i offered by (17).

Notice that the definitions (17) imply that

$\rho_i^{\varphi(q_i^{\varepsilon_i})} \equiv 1 \pmod{\varphi(p-1)}. \qquad (21)$

In fact,

$\rho_i^{\varphi(q_i^{\varepsilon_i})} = \left(\sigma_i + \mu_i\cdot q_i^{\varepsilon_i}\right)^{\varphi(q_i^{\varepsilon_i})} \equiv 1 + \chi_i\cdot q_i^{\varepsilon_i} \pmod{q_i^{\varepsilon_i}} \qquad (22)$

and also, for all positive integers n,

$\rho_i^{n} = \left(1 + \lambda_i\cdot\varphi(p-1)/q_i^{\varepsilon_i}\right)^{n} = 1 + \psi_i\cdot\varphi(p-1)/q_i^{\varepsilon_i} \qquad (23)$

for some integers χ_i and ψ_i. Combining (22) and (23), (21) follows. Refer to Section I of the Appendix.
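The construction (17)–(21) as a worked example for the modulus m = φ(p−1) = 70 = 2·5·7 that FIG. 2 uses. The code is added here and is not the patent's own: `orthogonal_primitive` solves (17)/(18) as a Chinese remainder problem (ρ_i ≡ 1 modulo φ(p−1)/q_i^(ε_i) and ρ_i ≡ σ_i modulo q_i^(ε_i)), `orthogonal` and `has_order_phi` check (20) and (21), and `decompose` recovers the exponents υ_i of (19) one component at a time, which is the "sum rather than product" reduction claimed in the summary. The primitive roots σ₅ = 2 and σ₇ = 3 are chosen here, and ε₀ = 1 as in this section.

```python
"""Orthogonal primitives rho_i of (17)-(21), worked modulo m = phi(p-1).

Added example, not the patent's own code.  The modulus m = 70 = 2*5*7 mirrors
the "(mod 70)" of FIG. 2, and sigma_5 = 2, sigma_7 = 3 are primitive roots
chosen here; epsilon_0 = 1 as in Section III.
"""
from math import gcd


def orthogonal_primitive(m, q, e, sigma):
    """Solve (17)/(18): rho = 1 + lambda*m/q^e = sigma + mu*q^e.
    Read as congruences, rho = 1 (mod m/q^e) and rho = sigma (mod q^e), which is
    a Chinese-remainder system because m/q^e and q^e are coprime.
    Returns (rho mod m, lambda, mu)."""
    qe = q ** e
    rest = m // qe
    lam = (sigma - 1) * pow(rest, -1, qe) % qe
    rho = 1 + lam * rest
    mu = (rho - sigma) // qe                   # exact, since rho = sigma (mod q^e)
    assert sigma - 1 + mu * qe == lam * rest   # this is (18)
    return rho % m, lam, mu


def build(m, components):
    """components: [(q, e, sigma), ...].  Returns rows (q^e, phi(q^e), sigma, rho)."""
    rows = []
    for q, e, sigma in components:
        qe = q ** e
        ph = (q - 1) * q ** (e - 1)
        # sigma must generate the units modulo q^e
        if len({pow(sigma, k, qe) for k in range(ph)}) != ph:
            raise ValueError("sigma is not a primitive root modulo %d" % qe)
        rho, _, _ = orthogonal_primitive(m, q, e, sigma)
        rows.append((qe, ph, sigma, rho))
    return rows


def orthogonal(m, rows):
    """(20): (m/q_i^e)*rho_j = m/q_i^e for i != j and = (m/q_i^e)*sigma_i for i = j (mod m)."""
    for i, (qe_i, _, sigma_i, _) in enumerate(rows):
        c = m // qe_i
        for j, (_, _, _, rho_j) in enumerate(rows):
            want = c * (sigma_i if i == j else 1) % m
            if c * rho_j % m != want:
                return False
    return True


def has_order_phi(m, rows):
    """(21): rho_i^phi(q_i^e) = 1 (mod m)."""
    return all(pow(rho, ph, m) == 1 for _, ph, _, rho in rows)


def decompose(m, rows, v):
    """Exponents v_i of (19) with v = prod rho_i^(v_i) (mod m).
    Since rho_j = 1 (mod q_i^e) for j != i, reducing (19) modulo q_i^e leaves
    v = sigma_i^(v_i) (mod q_i^e): each v_i is searched on its own, so the
    work is the sum of the phi(q_i^e), not their product."""
    digits = []
    for qe, ph, sigma, _ in rows:
        target = v % qe
        for vi in range(ph):
            if pow(sigma, vi, qe) == target:
                digits.append(vi)
                break
        else:
            raise ValueError("v is not a unit modulo %d" % qe)
    return digits


def recompose(m, rows, digits):
    """The product of (19)."""
    out = 1
    for (_, _, _, rho), vi in zip(rows, digits):
        out = out * pow(rho, vi, m) % m
    return out


def roundtrip_ok(m, rows):
    """Every unit modulo m (here phi(70) = 24 = phi(5)*phi(7)) has a unique decomposition."""
    units = [v for v in range(1, m) if gcd(v, m) == 1]
    return all(recompose(m, rows, decompose(m, rows, v)) == v for v in units)


M = 70
ROWS = build(M, [(5, 1, 2), (7, 1, 3)])     # rho_5 = 57, rho_7 = 31

if __name__ == "__main__":
    print([row[3] for row in ROWS], orthogonal(M, ROWS), has_order_phi(M, ROWS))
    print(decompose(M, ROWS, 3), recompose(M, ROWS, [3, 1]), roundtrip_ok(M, ROWS))
```

With m = 70 the two solutions are ρ₅ = 57 = 1 + 4·14 = 2 + 11·5 and ρ₇ = 31 = 1 + 3·10 = 3 + 4·7; the unit 3 decomposes as 57³·31¹ (mod 70), found by a search of length 4 plus one of length 6 rather than one of length 24.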

IV. THE RELATIONSHIP BETWEEN υ_i AND w_i MODULO φ(q_i^(ε_i)) WHEN ε₀=1

Using orthogonal primitives (17), consider raising (15) to

$\frac{\varphi(p-1)}{q_i^{\varepsilon_i}}$

modulo p−1. It will be

$\left(a^{\varphi(p-1)/q_i^{\varepsilon_i}}\right)^{\sigma_i^{\upsilon_i}} \equiv \left(d^{\varphi(p-1)/q_i^{\varepsilon_i}}\right)^{-\sigma_i^{w_i}} \pmod{p-1}. \qquad (24)$

Let

$\begin{cases} \alpha_i \equiv a^{\varphi(p-1)/q_i^{\varepsilon_i}} \pmod{p-1} \\ \delta_i \equiv d^{\varphi(p-1)/q_i^{\varepsilon_i}} \pmod{p-1} \end{cases} \qquad (25)$

Then

$\alpha_i^{\sigma_i^{\upsilon_i}} \equiv \delta_i^{-\sigma_i^{w_i}} \pmod{p-1}. \qquad (26)$

This congruence establishes a relationship between υ_i and w_i which does not depend on any of the values of υ_j and w_j, for i≠j. However, this relationship does not identify the value of υ which is consistent with (6).

NOTE 1: a and d are primitives modulo p−1. Therefore, they are relatively prime with φ(p−1). When a or d are raised to a divisor of φ(p−1), such as φ(p−1)/q_i^(ε_i), they produce primitives modulo φ(p−1) for the sets

{σ_i^(υ_i)} and {σ_i^(w_i)},

respectively.

V. INVERTIBLE SUPERPRIMITIVES

1) Definition

A superprimitive of p is defined as invertible if its inverse modulo p is also a superprimitive of p. In general, only some of the superprimitives are invertible. Table III shows the invertible superprimitives of the set of primes which are included in Tables I and II.

TABLE III

p = 11
  Superprimitives of p: 7
  Invertible superprimitives: none
  Number of superprimitives: 1; number of invertible superprimitives: 0; ratio: 0

p = 23
  Superprimitives of p: 7, 17, 19
  Invertible superprimitives: 17, 19
  Number of superprimitives: 3; number of invertible superprimitives: 2; ratio: 0.666667

p = 47
  Superprimitives of p: 5, 11, 15, 19, 33, 43
  Invertible superprimitives: 5, 19
  Number of superprimitives: 6; number of invertible superprimitives: 2; ratio: 0.333333

p = 59
  Superprimitives of p: 11, 31, 37, 39, 43, 47, 55
  Invertible superprimitives: 11, 43
  Number of superprimitives: 7; number of invertible superprimitives: 2; ratio: 0.285714

p = 107
  Superprimitives of p: 5, 21, 31, 45, 51, 55, 65, 67, 71, 73, 103
  Invertible superprimitives: 21, 51
  Number of superprimitives: 11; number of invertible superprimitives: 2; ratio: 0.181818

p = 167
  Superprimitives of p: 5, 13, 15, 35, 39, 43, 45, 53, 55, 67, 71, 73, 79, 91, 101, 103, 105, 117, 125, 129, 135, 139, 143, 145, 149, 155, 159, 163
  Invertible superprimitives: 5, 35, 43, 67, 101, 105, 125, 129, 145, 163
  Number of superprimitives: 28; number of invertible superprimitives: 10; ratio: 0.357143

p = 263
  Superprimitives of p: 29, 57, 67, 85, 87, 97, 115, 119, 127, 130, 139, 141, 161, 171, 185, 197, 213, 219, 227, 229, 237, 241, 247, 251, 255, 257, 259
  Invertible superprimitives: 29, 97, 115, 127, 141, 197, 219, 241, 247, 251, 257, 259
  Number of superprimitives: 26; number of invertible superprimitives: 12; ratio: 0.461538

p = 347
  Superprimitives of p: 5, 7, 17, 19, 45, 63, 65, 69, 79, 91, 97, 101, 103, 111, 123, 125, 141, 145, 153, 155, 165, 171, 175, 191, 193, 203, 215, 217, 221, 223, 231, 239, 245, 247, 283, 301, 307, 335, 343
  Invertible superprimitives: 17, 69, 79, 103, 123, 171, 245, 283
  Number of superprimitives: 39; number of invertible superprimitives: 8; ratio: 0.205128

p = 359
  Superprimitives of p: 7, 21, 35, 53, 63, 71, 97, 103, 105, 109, 113, 119, 137, 143, 157, 159, 163, 167, 175, 189, 197, 209, 211, 213, 223, 251, 257, 263, 265, 269, 271, 277, 291, 293, 299, 309, 311, 313, 315, 319, 327, 329, 339, 341, 343, 349, 353, 355
  Invertible superprimitives: 157, 197, 209, 213, 223, 257, 269, 271, 277, 293, 299, 339, 341, 343, 353, 355
  Number of superprimitives: 48; number of invertible superprimitives: 16; ratio: 0.333333

p = 383
  Superprimitives of p: 33, 35, 47, 53, 61, 83, 89, 91, 95, 99, 105, 111, 123, 127, 131, 141, 145, 151, 157, 167, 179, 181, 183, 187, 233, 247, 249, 253, 267, 285, 297, 307, 315, 337, 355, 359, 365, 367, 369, 379
  Invertible superprimitives: 359, 367
  Number of superprimitives: 40; number of invertible superprimitives: 2; ratio: 0.05

p = 479
  Superprimitives of p: 13, 19, 37, 39, 41, 43, 47, 53, 57, 59, 65, 79, 95, 117, 119, 123, 129, 143, 149, 159, 171, 177, 179, 185, 191, 205, 209, 223, 227, 235, 237, 265, 281, 285, 295, 317, 325, 333, 351, 353, 357, 369, 379, 387, 391, 395, 423, 429, 433, 447, 449, 451, 461, 463, 467, 469, 473, 475
  Invertible superprimitives: 19, 47, 53, 177, 235, 265, 325, 353, 433, 449, 451, 463
  Number of superprimitives: 58; number of invertible superprimitives: 12; ratio: 0.206897

p = 503
  Superprimitives of p: 19, 29, 37, 53, 55, 57, 71, 87, 107, 109, 111, 127, 133, 137, 139, 159, 163, 165, 167, 191, 193, 203, 213, 215, 239, 269, 277, 295, 305, 307, 313, 321, 327, 333, 341, 347, 349, 371, 381, 385, 399, 409, 417, 419, 437, 453, 457, 461, 467, 471, 475, 479, 481, 485, 487, 489, 495, 499
  Invertible superprimitives: 19, 53, 133, 193, 213, 295, 305, 307, 409, 417, 467, 475, 485, 489
  Number of superprimitives: 58; number of invertible superprimitives: 14; ratio: 0.241379

p = 587
  Superprimitives of p: 5, 11, 13, 19, 23, 41, 45, 85, 99, 103, 105, 111, 117, 125, 127, 131, 139, 157, 171, 173, 183, 187, 207, 213, 215, 221, 227, 231, 241, 245, 251, 259, 265, 263, 273, 275, 291, 295, 321, 323, 325, 327, 335, 337, 341, 365, 367, 369, 373, 391, 399, 403, 405, 415, 427, 435, 467, 473, 475, 483, 487, 497, 523, 539, 541, 557, 559, 583
  Invertible superprimitives: 11, 85, 111, 117, 215, 221, 241, 275, 291, 321, 341, 415, 427, 435, 475, 523
  Number of superprimitives: 69; number of invertible superprimitives: 16; ratio: 0.231884

Consider the case when a denotes an invertible superprimitive, and let g denote its inverse modulo p. Then, for some integers υ and w, the conditions (10) and (12) take the following forms:

$\begin{matrix}{a^{a^{\upsilon}} \equiv {a^{- 1}\left( {{mod}p} \right)}} & (27)\end{matrix}$

and

$\begin{matrix}{g^{- 1} \equiv {{g^{g^{w}}\left( {{mod}p} \right)}.}} & (28)\end{matrix}$

Therefore,

$\begin{matrix}{a^{a^{\upsilon} + 1} \equiv {1\left( {{mod}p} \right)}} & (29)\end{matrix}$

whence

$\begin{matrix}{a^{\upsilon} \equiv {- 1\left( {{mod}\left( {p - 1} \right)} \right)}} & (30)\end{matrix}$

or

$\begin{matrix}{a^{2 \cdot \upsilon} \equiv {1\left( {{mod}\left( {p - 1} \right)} \right)}.} & (31)\end{matrix}$

Similarly,

$\begin{matrix}{g^{2 \cdot w} \equiv {1\left( {{mod}\left( {p - 1} \right)} \right)}.} & (32)\end{matrix}$

Then

$\begin{matrix}{{2 \cdot \upsilon} \equiv {0\left( {{mod}\mspace{11mu}{\varphi\left( {p - 1} \right)}} \right)}} & (33)\end{matrix}$

and

$\begin{matrix}{{2 \cdot w} \equiv {0\left( {{mod}\mspace{11mu}{\varphi\left( {p - 1} \right)}} \right)}.} & (34)\end{matrix}$

Thus,

$\begin{matrix}{\upsilon \equiv {{w\left( {{mod}\mspace{11mu}\frac{\varphi\left( {p - 1} \right)}{2}} \right)}.}} & (35)\end{matrix}$

VI. THE DETERMINATION OF υ AND w WHEN ε₀=1

1) The Selection of a and d

Section II.1 describes how to select a superprimitive a. The algorithm proposed herein will require that a be an invertible superprimitive of p. This can be accomplished by raising a₀ to an increasing integer $p^{l} > p^{\tilde{l}}$, until the desired condition is satisfied (Step One).

After the definition of a, it will be necessary to transform (6) in such a way that the RHS is an invertible superprimitive of p, namely d (Steps Two and Three).

Thus, the proposed algorithm will operate on two invertible superprimitives of p, namely

1) a (invertible superprimitive)

2) d (invertible superprimitive)

2) The Problem

Given the pair (a, d), to determine υ there are two conditions which must be satisfied.

A) The first condition is equation (14), which is defined modulo p−1.

B) A second condition on the pair (υ, w) is placed by the congruences (10) and (12), which are defined modulo p.

Consider the problem of solving the system of (10) and (12)

$\begin{matrix}\left\{ \begin{matrix}{a^{a^{\upsilon}} = {d\left( {{mod}\mspace{11mu} p} \right)}} \\{a = {d^{d^{w}}\left( {{mod}\mspace{11mu} p} \right)}}\end{matrix} \right. & (36)\end{matrix}$

under the condition (14).

Define

$\begin{matrix}\left\{ {\begin{matrix}{{a^{U} \cdot d} \equiv {1\left( {{{mod}\mspace{11mu} p} - 1} \right)}} \\{{a \cdot d^{W}} \equiv {1\left( {{{mod}\mspace{11mu} p} - 1} \right)}}\end{matrix}.} \right. & (37)\end{matrix}$

Refer to Appendix II.

Substitute the second of (37) into (14). It will be

$\begin{matrix}{{{d^{{- W} \cdot \upsilon} \cdot d^{w}} \equiv {1\left( {{{mod}p} - 1} \right)}},} & (38)\end{matrix}$

or w = W·υ modulo φ(p−1).

Then the second of (36) becomes

$\begin{matrix}\begin{matrix}{a \equiv {d^{d^{W \cdot \upsilon}}\left( {{mod}\mspace{11mu} p} \right)}} \\{\equiv {{d^{a^{- \upsilon}}\left( {{mod}\mspace{11mu} p} \right)}.}}\end{matrix} & (40)\end{matrix}$

Thus, the system (36) becomes

$\begin{matrix}\left\{ {\begin{matrix}{a^{a^{\upsilon}} \equiv {d\left( {{mod}\mspace{11mu} p} \right)}} \\{a \equiv {d^{a^{- \upsilon}}\left( {{mod}\mspace{11mu} p} \right)}}\end{matrix}.} \right. & (41)\end{matrix}$

The original problem requires finding the solution of the first of (41).

3) The Solution

1) a and d are two physical numbers and are independent of any modular transactions of which they may become a part. Specifically, if we say d=317, we mean that d denotes the number 317, not 317 modulo anything.

2) If υ were known, the transition from a to d could be executed by raising a to a^(υ) modulo p.

3) Also, the transition from a to d can be executed by computing the discrete logarithm of d modulo p−1 in base a. To this end, define

$\begin{matrix}{a^{U{(a,d)}} \equiv {d\left( {{mod}\mspace{11mu}{p - 1}} \right)}.} & (42)\end{matrix}$

Refer to Section II of the Appendix.

4) The two bridges from a to d are defined modulo p−1 and produce the same transition.

They can be compared operating modulo p−1.

5) A different approach consists of considering the following integers:

$\begin{matrix}\left\{ {\begin{matrix}{A_{i} = a^{\frac{\varphi{({p - 1})}}{q_{i}^{ɛ_{i}}}}} \\{D_{i} = d^{\frac{\varphi{({p - 1})}}{q_{i}^{ɛ_{i}}}}}\end{matrix}.} \right. & (43)\end{matrix}$

These integers can be very large. In principle, their definition is independent of any modular transaction of which they may become a part. It is possible to substitute the pair (A_(i), D_(i)) into (41). It will be

$\begin{matrix}{A_{i}^{\alpha_{i}^{\sigma_{i}^{\upsilon_{i}}}} \equiv {{D_{i}\left( {{mod}\mspace{14mu} p} \right)}.}} & (44)\end{matrix}$

The solution $\tilde{\upsilon}_{i}$ of this congruence is unique.

NOTE 1: After the solution $\tilde{\upsilon}_{i}$ of (44) has been produced, the process must be repeated for all j≠i. Then υ can be computed using (19). The integer x follows, using (11), (9), (8) and (7).

VII. THE CASE WHEN ε₀=2

Refer to (16) and (19). If ε₀=2, the set of generators {ρ_(i) | 1≤i≤h} must be expanded to include the generator ρ_(0,0) of a subgroup of V consisting of two elements. In this case (19) must be replaced by the following

$\begin{matrix}\left\{ {\begin{matrix}{\upsilon \equiv {\rho_{0,0} \cdot {\prod\limits_{i = 1}^{h}{\rho_{i}^{\upsilon_{i}}\left( {{mod}\mspace{11mu}{\varphi\left( {p - 1} \right)}} \right)}}}} \\{w \equiv {\rho_{0,0} \cdot {\prod\limits_{i = 1}^{h}{\rho_{i}^{w_{i}}\left( {{mod}\mspace{11mu}{\varphi\left( {p - 1} \right)}} \right)}}}}\end{matrix}.} \right. & (45)\end{matrix}$

Let σ_(0,0) denote the primitive of a cycle of two elements modulo 2^(ε₀). It will be

$\begin{matrix}{\sigma_{0,0} \equiv {3\left( {{mod}\mspace{11mu} 2^{2}} \right)}.} & (46)\end{matrix}$

Then, by (17),

$\begin{matrix}\begin{matrix}{\rho_{0,0} = {1 + {\lambda_{0,0} \cdot \frac{\varphi\left( {p - 1} \right)}{4}}}} \\{= {{- 1} + {\mu_{0,0} \cdot 4.}}}\end{matrix} & (47)\end{matrix}$Let

$\begin{matrix}{{\mu_{0,0} \cdot 4} = {2 + {\lambda_{0,0} \cdot {\frac{\varphi\left( {p - 1} \right)}{4}.}}}} & (48)\end{matrix}$

Given a solution pair ($\tilde{\lambda}_{0,0}$, $\tilde{\mu}_{0,0}$) of (48), after substitution into (47), ρ_(0,0) modulo φ(p−1) follows. It will be:

$\begin{matrix}\left\{ {\begin{matrix}{{\gcd\left( {\rho_{0,0},{p - 1}} \right)} = 1} \\{{\gcd\left( {\rho_{0,0},{\varphi\left( {p - 1} \right)}} \right)} = 1}\end{matrix}.} \right. & (49)\end{matrix}$

To determine the pair (υ_(0,0), w_(0,0)), define

$\begin{matrix}\left\{ \begin{matrix}{\alpha_{0,0} \equiv {a^{\frac{\varphi{({p - 1})}}{4}}\left( {{{mod}\mspace{11mu} p} - 1} \right)}} \\{A_{0,0} \equiv {{a^{\frac{\varphi{({p - 1})}}{4}}\left( {{mod}\mspace{11mu} p} \right)}.}}\end{matrix} \right. & (50)\end{matrix}$

and

$\begin{matrix}{D_{0,0} \equiv {{d^{\frac{\varphi{({p - 1})}}{4}}\left( {{mod}\mspace{14mu} p} \right)}.}} & (51)\end{matrix}$

Then υ_(0, 0) is a solution of the following:

$\begin{matrix}{{A_{0,0}^{\alpha_{0,0}^{\sigma_{0,0}^{\upsilon_{0,0}}}} \equiv {D_{0,0}\left( {{mod}\mspace{11mu} p} \right)}},} & (52)\end{matrix}$where υ_(0, 0) is either 0 or 1.

VIII. THE CASE WHEN ε₀>2

1) The Problem

If ε₀>2, X is not a cyclic group and there does not exist an integer σ_(0,0) which generates a subgroup of V containing 2^(ε₀−1) elements modulo 2^(ε₀) [1, p. 206]. However, there exist integers σ₀ such that

$\begin{matrix}\left\{ {\begin{matrix}{\sigma_{0}^{2^{ɛ_{0} - 3}} ≢ {1\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}} \\{\sigma_{0}^{2^{ɛ_{0} - 2}} \equiv {1\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}}\end{matrix}.} \right. & (53)\end{matrix}$

As an example, if ε₀=5, for any integer of the form σ₀=4·ODD+1 it is

$\begin{matrix}\left\{ {\begin{matrix}{\sigma_{0}^{4} ≢ {1\left( {{mod}\mspace{14mu} 2^{5}} \right)}} \\{\sigma_{0}^{8} \equiv {1\left( {{mod}\mspace{14mu} 2^{5}} \right)}}\end{matrix}.} \right. & (54)\end{matrix}$

Refer to Section III of the Appendix.

As a result, if ε₀>2, in order to produce 2^(ε₀−1) elements modulo 2^(ε₀), it is necessary to employ the direct product of two subgroups of V, one containing 2^(ε₀−2) elements and one containing 2 elements. Let σ_(0,0) and σ₀ denote the generators of the two subgroups having 2 and 2^(ε₀−2) elements, respectively. Of course, σ_(0,0) should be an integer which cannot be produced by computing σ₀^(υ₀) (mod 2^(ε₀−2)), for any integer υ₀. This can be accomplished by defining

$\begin{matrix}\left\{ {\begin{matrix}{\sigma_{0} = {{{4 \cdot O}\; D\; D} + 1}} \\{\sigma_{0,0} = {{- 1} + 2^{ɛ_{0} - 1}}}\end{matrix}.} \right. & (55)\end{matrix}$

With this selection of σ₀ and σ_(0,0) the product σ_(0,0)^(υ_(0,0))·σ₀^(υ₀) (mod 2^(ε₀)) generates all the odd integers from 1 to 2^(ε₀)−1.

The integer ρ₀ can be determined by letting

$\begin{matrix}\begin{matrix}{\rho_{0} = {1 + {\lambda_{0} \cdot \frac{\varphi\left( {p - 1} \right)}{2^{ɛ_{0}}}}}} \\{= {\sigma_{0} + {\mu_{0} \cdot {2^{ɛ_{0} - 2}.}}}}\end{matrix} & (56)\end{matrix}$

Since $\gcd\left( {2^{ɛ_{0} - 2},\frac{\varphi\left( {p - 1} \right)}{2^{ɛ_{0}}}} \right) = 1$, the integers λ₀ and μ₀ exist, and so does ρ₀.

Likewise, ρ_(0,0) can be defined by letting

$\begin{matrix}\begin{matrix}{\rho_{0,0} = {1 + {\lambda_{0,0} \cdot \frac{\varphi\left( {p - 1} \right)}{2^{ɛ_{0}}}}}} \\{= {{- 1} + {\mu_{0,0} \cdot {2^{ɛ_{0} - 2}.}}}}\end{matrix} & (57)\end{matrix}$

Then the general expression (17) of the integers υ and w must be restated as follows:

$\begin{matrix}\left\{ {\begin{matrix}{\upsilon \equiv {\rho_{0,0}^{\upsilon_{0,0}} \cdot \rho_{0}^{\upsilon_{0}} \cdot {\prod\limits_{i = 1}^{h}{\rho_{i}^{\upsilon_{i}}\left( {{mod}\mspace{14mu}{\varphi\left( {p - 1} \right)}} \right)}}}} \\{w \equiv {\rho_{0,0}^{w_{0,0}} \cdot \rho_{0}^{w_{0}} \cdot {\prod\limits_{i = 1}^{h}{\rho_{i}^{w_{i}}\left( {{mod}\mspace{14mu}{\varphi\left( {p - 1} \right)}} \right)}}}}\end{matrix}.} \right. & (58)\end{matrix}$

For 1≤i≤h it is still possible to produce primitives ρ_(i) which are orthogonal to each other and to ρ₀. However, it is not possible to identify two values of ρ_(0,0) and ρ₀ which are orthogonal to each other. In other words, there does not exist a primitive of X modulo p−1 which enables the restatement described in Section II. Therefore, after the determination of all ρ_(i), for 1≤i≤h, it is necessary to explore all the possibilities produced by ρ_(0,0) and ρ₀. Since the order of ρ_(0,0) is 2, two sets of circumstances must be considered.

In general, the elements of X can be grouped into two sets, namely X₀ and X₁, which correspond to the cases when υ_(0,0)=0 and υ_(0,0)=1, respectively.

2) The Case when υ_(0, 0)=0

If υ_(0,0)=0, the number of elements in V is

$\begin{matrix}\left\{ {\begin{matrix}{\upsilon_{0,0} = 0} \\{{\left| V \right|} = {2^{ɛ_{0} - 2} \cdot {\prod\limits_{i = 1}^{h}{\varphi\left( q_{i}^{ɛ_{i}} \right)}}}}\end{matrix}.} \right. & (59)\end{matrix}$

Compare with (16). In this case X₀ is a cyclic group and there exist integers ρ which are primitive roots of X₀ modulo p−1. Let Y₀ denote the set of primitive roots of X₀ modulo p−1. If ρ∈Y₀, let A₀ denote the set of primitive roots of p which are produced by letting

$\begin{matrix}{a_{0}^{\rho^{i}} \equiv {{a\left( {{mod}p} \right)}.}} & (60)\end{matrix}$

For some integers $\tilde{i}$, a will also be an element of Y₀. In these cases

$\begin{matrix}\left\{ {\begin{matrix}{ɛ_{0} > 2} \\{{\left| X \right|} = {\left| A \right|}} \\{X = {X_{0}\bigcup X_{1}}} \\{{\left| X_{0} \right|} = {\left| X_{1} \right|}} \\{A = {A_{0}\bigcup A_{1}}} \\{{\left| A_{0} \right|} = {\left| A_{1} \right|}} \\{{\left| X_{0} \right|} = {\left| A_{0} \right|}} \\{\frac{\left| X_{0} \right|}{\left| A \right|} = {1/2.}}\end{matrix}} \right. & (61)\end{matrix}$

Let σ₀ denote a primitive root of X₀ modulo 2^(ε₀−2). Assume that σ₀=4·ODD+1.

In this case, define

$\begin{matrix}\left\{ \begin{matrix}{\alpha_{0} \equiv {a^{\frac{\varphi{({p - 1})}}{2^{ɛ_{0} - 1}}}\left( {{{mod}\mspace{14mu} p} - 1} \right)}} \\{A_{0} \equiv {a^{\frac{\varphi{({p - 1})}}{2^{ɛ_{0} - 1}}}\left( {{{mod}\mspace{14mu} p} - 1} \right)}}\end{matrix} \right. & (62)\end{matrix}$and

$\begin{matrix}{D_{0} \equiv {{d^{\frac{\varphi{({p - 1})}}{2^{ɛ_{0} - 1}}}\left( {{{mod}\mspace{14mu} p} - 1} \right)}.}} & (63)\end{matrix}$

Then

$\begin{matrix}{A_{0}^{\alpha_{0}^{\sigma_{0}^{\upsilon_{0}}}} \equiv {{D_{0}\left( {{mod}\mspace{14mu} p} \right)}.}} & (64)\end{matrix}$

3) An Example

As an example, if ε₀=6 and 2^(ε₀)=64, let σ₀=5 and σ_(0,0)=31. The number of elements of X is 2^(ε₀−1)=32. When υ_(0,0)=0, the number of elements of X₀ is 2^(ε₀−2)=16. When υ_(0,0)=1, the number of elements of X₁ is 16. Thus, when the elements of X are reduced modulo 64, it will be

$\begin{matrix}\begin{matrix}{X_{0} = \left\{ {1,5,25,61,49,53,9,45,33,37,57,29,17,21,41,13} \right\}} \\{X_{1} = \left\{ {31,27,7,35,47,43,23,51,63,59,39,3,15,11,55,19} \right\}} \\{= {\left\{ {{31 \cdot {each}}\mspace{14mu}{one}\mspace{14mu}{of}\mspace{14mu}{the}\mspace{14mu}{elements}\mspace{14mu}{of}\mspace{14mu} X_{0}} \right\}.}}\end{matrix} & (65)\end{matrix}$

Since X₀ is a cyclic group, let Y₀ denote the set of primitive roots of X₀ modulo 2^(ε₀). In the example,

$\begin{matrix}{Y_{0} = {\left\{ {5,61,53,45,37,29,21,13} \right\}.}} & (66)\end{matrix}$

Also, define Y₁ as the set of elements produced when all the elements of Y₀ are multiplied by σ_(0,0). In the example, it will be

$\begin{matrix}\begin{matrix}{Y_{1} = \left\{ {27,35,43,51,59,3,11,19} \right\}} \\{= {\left\{ {{31 \cdot {each}}\mspace{14mu}{one}\mspace{14mu}{of}\mspace{14mu}{the}\mspace{14mu}{elements}\mspace{14mu}{of}\mspace{14mu} Y_{0}} \right\}.}}\end{matrix} & (67)\end{matrix}$

NOTE 1: In the example, 31 and 63 are the only elements of X₁ whose square is congruent to 1: 31²≡1 (mod 64) and 63²≡1 (mod 64).

NOTE 2: In the example, any element of Y₀, when raised to 31 modulo 64, produces another element of Y₀. In fact, gcd(31, 32)=1 and gcd(31, 64)=1. Thus,

$\begin{matrix}\left\{ {\begin{matrix}{5^{31} \equiv {13\left( {{mod}\mspace{11mu} 64} \right)}} \\{61^{31} \equiv {21\left( {{mod}\mspace{11mu} 64} \right)}} \\\ldots \\{45^{31} \equiv {37\left( {{mod}\mspace{11mu} 64} \right)}}\end{matrix}.} \right. & (68)\end{matrix}$
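The structure of this example in code, as an added Python block that is not part of the patent: it builds X₀, X₁, Y₀ and Y₁ from σ₀ and σ_(0,0) chosen as in (55), for any ε₀≥3 rather than only ε₀=6, and checks (65)-(68), the two notes above, and the order claim (A.17) of Appendix III. The check for ε₀=5 uses the constructed choice σ₀=13.

```python
# Added example, not part of the patent: the 2-power structure of Section VIII
# for the page's case eps0 = 6 (2**6 = 64, sigma0 = 5, sigma00 = 31), written
# for any eps0 >= 3 with sigma0 = 4*ODD + 1 and sigma00 = -1 + 2**(eps0-1) as in (55).
from math import gcd


def mult_order(g, m):
    """Multiplicative order of g modulo m (g must be a unit modulo m)."""
    if gcd(g, m) != 1:
        raise ValueError("g is not a unit modulo m")
    k, x = 1, g % m
    while x != 1:
        x = (x * g) % m
        k += 1
    return k


def two_power_structure(eps0, odd=1):
    """Return (sigma0, sigma00, X0, X1, Y0, Y1) modulo 2**eps0.

    X0 = <sigma0> listed in power order, X1 = sigma00 * X0 as in (65),
    Y0 = generators of X0 (odd powers of sigma0, cf. (66)), Y1 = sigma00 * Y0 as in (67).
    """
    if eps0 < 3 or odd % 2 == 0:
        raise ValueError("need eps0 >= 3 and an odd multiplier")
    m = 2 ** eps0
    sigma0 = 4 * odd + 1                   # (55): sigma0 = 4*ODD + 1
    sigma00 = (-1 + 2 ** (eps0 - 1)) % m   # (55): sigma00 = -1 + 2**(eps0-1)
    n = 2 ** (eps0 - 2)                    # (A.17): order of sigma0 modulo 2**eps0
    X0 = [pow(sigma0, k, m) for k in range(n)]
    X1 = [(sigma00 * x) % m for x in X0]
    Y0 = [pow(sigma0, k, m) for k in range(1, n, 2)]
    Y1 = [(sigma00 * y) % m for y in Y0]
    return sigma0, sigma00, X0, X1, Y0, Y1


def check_structure(eps0, odd=1):
    """Verify, for 2**eps0, the claims made in Section VIII.3 and Appendix III."""
    m = 2 ** eps0
    sigma0, sigma00, X0, X1, Y0, Y1 = two_power_structure(eps0, odd)
    odd_residues = set(range(1, m, 2))
    return {
        # (A.17): the order of 4*ODD+1 modulo 2**eps0 is 2**(eps0-2)
        "order_sigma0": mult_order(sigma0, m) == 2 ** (eps0 - 2),
        # sigma00 has order 2 and is not a power of sigma0 (end of Appendix III)
        "sigma00_outside_X0": mult_order(sigma00, m) == 2 and sigma00 not in X0,
        # X0 and X1 are disjoint and together give all 2**(eps0-1) odd residues
        "partition": set(X0).isdisjoint(X1) and set(X0) | set(X1) == odd_residues,
        # every element of Y0 generates the cyclic group X0
        "Y0_generates_X0": all(mult_order(y, m) == len(X0) for y in Y0),
        # NOTE 1: sigma00 and -1 are the only elements of X1 squaring to 1
        "note1": sorted(x for x in X1 if x * x % m == 1) == sorted([sigma00, m - 1]),
        # NOTE 2: raising an element of Y0 to sigma00 (an odd exponent) stays in Y0
        "note2": all(pow(y, sigma00, m) in Y0 for y in Y0),
    }


if __name__ == "__main__":
    s0, s00, X0, X1, Y0, Y1 = two_power_structure(6)
    print("X0 =", X0)       # (65), first line
    print("X1 =", X1)       # (65), second line
    print("Y0 =", Y0)       # (66)
    print("Y1 =", Y1)       # (67)
    print(check_structure(6))
```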

4) The Algorithm when υ_(0, 0)=0

The solution υ₀ can be determined using the procedure defined by (64).

After the determination of υ₀, the algorithm should proceed to the determination of the candidate values of υ_(i), for 1≤i≤h.

If the resulting value of υ is not consistent with (6), the assumption υ_(0,0)=0 must be discarded and the case υ_(0,0)=1 must be considered.

5) The Case when υ_(0,0)=1

Consider first the case when a∈A₀. Then

$\begin{matrix}{a^{a^{\upsilon}} \equiv {d\left( {{mod}\mspace{11mu} p} \right)}}\end{matrix}$

and d∈A₀.

Define A₁ as the set of primitives modulo p which are not elements of A₀. One example is

$\begin{matrix}{{\overset{\_}{a} \equiv {a^{\rho_{0,0}}\left( {{mod}p} \right)}},} & (69)\end{matrix}$

which implies that

$\begin{matrix}{a \equiv {{{\overset{\_}{a}}^{\rho_{0,0}}\left( {{mod}p} \right)}.}} & (70)\end{matrix}$

Notice that ā is a primitive modulo p because gcd(ρ_(0,0), p−1)=1.

Given ā, all the elements of A₁ can be produced by raising ā to the elements of X₀. Notice that, after the introduction of ā∈A₁, operating in A₁ follows the same procedures which were used operating in A₀ using a∈A₀. Thus the definition of ā given a can be used to produce all of the elements of A₁ by raising ā to any element of X₀. In particular, consider the case when ā is raised to ā modulo p. Since a is an element of X₀ and Y₀, ā is an element of Y₀∩A₁.

$\begin{matrix}\left\{ {\begin{matrix}{ɛ_{0} > 2} \\{a \in A_{0}} \\{a \in X_{0}} \\{a \in Y_{0}} \\{\overset{\_}{a} \in A_{1}} \\{\overset{\_}{a} \in Y_{0}} \\{\overset{\_}{a} \in {Y_{0}\bigcap A_{1}}}\end{matrix}} \right. & (71)\end{matrix}$

Refer to NOTE 2 in Section 4 above.

The same observation can be made about d. Therefore, for some integers υ and w, it is

$\begin{matrix}\left\{ {\begin{matrix}{{\overset{\_}{a}}^{{\overset{\_}{a}}^{\upsilon}} \equiv {\overset{\_}{d}\left( {{mod}\mspace{11mu} p} \right)}} \\{\overset{\_}{a} \equiv {{\overset{\_}{d}}^{{\overset{\_}{d}}^{w}}\left( {{mod}\mspace{11mu} p} \right)}}\end{matrix},} \right. & (72)\end{matrix}$

whence

$\begin{matrix}{a^{\rho_{0,0} \cdot \upsilon} \equiv {{d^{{- \rho_{0,0}} \cdot w}\left( {{{mod}\; p} - 1} \right)}.}} & (73)\end{matrix}$

Raising a and d to φ(p−1)/2^(ε₀) modulo p−1 produces

$\begin{matrix}{\alpha_{0}^{\rho_{0,0} \cdot \sigma_{0}^{\upsilon_{0}}} \equiv {{\delta_{0}^{{- \rho_{0,0}} \cdot \sigma_{0}^{w_{0}}}\left( {{{mod}\; p} - 1} \right)}.}} & (74)\end{matrix}$

Compare with (26).

The procedures which were used to produce υ₀ and υ_(i) can be repeated.

IX. CONCLUSION

The procedures described in Sections III through VII above were designed to determine υ given p and the pair (a, d). The integer υ is related to x through (11), (9), (8) and (7), that is, through ū, t, s, and r.

To determine the execution time of the proposed algorithm, note that each one of such operations as multiplication, exponentiation, calculation of inverses and solution of linear congruences has an execution time not exceeding log² m, where m is the modulus of the operation. Also, the number of operations to be executed modulo p or modulo p′ is of the order of log log p. Therefore, the total execution time is of an order which does not exceed log log p·log² p.

APPENDIX

Notes on Orthogonal Primitives

I. An Example

Let

$\begin{matrix}{a^{x} \equiv {b\left( {{mod}\mspace{11mu} 71} \right)},} & \left( {A{.1}} \right)\end{matrix}$

where a and b are primitive roots modulo 71. Then x is an element of the set X, containing all the integers which are relatively prime to p−1=70=2·5·7.

The order of X is φ(70)=φ(5)·φ(7)=24. The exponent of X is e(X)=lcm(4, 6)=12. Then X can be described as the direct product of a cyclic subgroup of order 2 and a cyclic subgroup of order 12 as follows:

$\begin{matrix}{X = {{C_{1}(2) \times C_{2}(12)}.}} & \left( {A{.2}} \right)\end{matrix}$

Also, the elements of X can be represented by using orthogonal primitives. In this case, given a selection of σ₁ (mod 7) and σ₂ (mod 5), ρ₁ (mod 70) and ρ₂ (mod 70) can be computed by letting

$\begin{matrix}\begin{matrix}{\rho_{1} = {1 + {\lambda_{1} \cdot \frac{p - 1}{7}}}} \\{= {\sigma_{1} + {\mu_{1} \cdot 7}}}\end{matrix} & \left( {A{.3}} \right)\end{matrix}$

and

$\begin{matrix}\begin{matrix}{\rho_{2} = {1 + {\lambda_{2} \cdot \frac{p - 1}{5}}}} \\{= {\sigma_{2} + {\mu_{2} \cdot 5.}}}\end{matrix} & \left( {A{.4}} \right)\end{matrix}$

For σ₁≡5 (mod 7) and σ₂≡3 (mod 5), it will be ρ₁≡61 (mod 70) and ρ₂≡43 (mod 70). Then

$\begin{matrix}{x \equiv {{61^{x_{1}} \cdot 43^{x_{2}}}\left( {{mod}\mspace{11mu} 70} \right)}.} & \left( {A{.5}} \right)\end{matrix}$

FIG. 2 shows the elements of X as intersections of vertical and horizontal straight lines through 61^(x₁) (mod 70) and 43^(x₂) (mod 70), respectively.

It is apparent that the elements on a vertical line (constant x₁) are congruent to one another modulo 14=2·7. Likewise, the elements on a horizontal line are congruent to one another modulo 2·5=10.

Also, each element of X is a product of its horizontal and vertical components. Thus, 67≡11·57 (mod 70).

Different selections of the primitives σ₁ and σ₂ would cause appropriatepermutations of the vertical and horizontal lines, respectively.

Observe that, by (A.3) and (A.4),

$\begin{matrix}\left\{ {\begin{matrix}{{\frac{70}{7} \cdot \rho_{1}} \equiv {{\frac{70}{7} \cdot \sigma_{1}}\left( {{mod}\mspace{11mu} 70} \right)}} \\{{\frac{70}{7} \cdot \rho_{2}} \equiv {\frac{70}{7}\left( {{mod}\mspace{11mu} 70} \right)}}\end{matrix}.} \right. & \left( {A{.6}} \right)\end{matrix}$

Therefore, raising (A.1) to 10 (modulo 71) yields

$\begin{matrix}{\left( a^{10} \right)^{5^{x_{1}}} \equiv {{b^{10}\left( {{mod}\mspace{14mu} 71} \right)}.}} & \left( {A{.7}} \right)\end{matrix}$

Likewise, raising (A.1) to 14 (modulo 71) yields

$\begin{matrix}{\left( a^{14} \right)^{3^{x_{2}}} \equiv {{b^{14}\left( {{mod}\mspace{14mu} 71} \right)}.}} & \left( {A{.8}} \right)\end{matrix}$

Therefore, in the example, x₂ and x₁ can be determined independently of each other.
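The decomposition of (A.1) into (A.7) and (A.8) worked in code, as an added Python example that is not part of the patent's appendix: it derives ρ₁ and ρ₂ from σ₁ and σ₂ by the two conditions of (A.3) and (A.4), enumerates (A.5), and recovers x for a constructed instance (a=7, a primitive root modulo 71, and b=31=7¹¹ mod 71) by solving the two congruences separately.

```python
# Added example, not part of the patent's appendix: orthogonal primitives modulo
# p-1 = 70 as in (A.3)-(A.8). The instance a = 7 (a primitive root modulo 71) and
# b = 7**11 mod 71 = 31 is constructed here; x = 11 is coprime to 70 so b is primitive.
from math import gcd

P = 71
N = P - 1              # 70 = 2 * 5 * 7
Q1, Q2 = 7, 5          # the two odd prime factors of p-1 handled by rho1 and rho2
PHI_Q1, PHI_Q2 = 6, 4  # phi(7) and phi(5): the ranges of x1 and x2


def orthogonal_primitive(sigma, q, n=N):
    """rho in [0, n) with rho = 1 (mod n/q) and rho = sigma (mod q), cf. (A.3)/(A.4).

    Brute force is enough for n = 70; gcd(n/q, q) = 1 makes the solution unique.
    """
    for rho in range(n):
        if rho % (n // q) == 1 and rho % q == sigma % q:
            return rho
    raise ValueError("no orthogonal primitive for these parameters")


def units_mod(n):
    """The set X of residues relatively prime to n."""
    return {x for x in range(1, n) if gcd(x, n) == 1}


def exponent_group(rho1, rho2, n=N):
    """The set of x = rho1**x1 * rho2**x2 (mod n) of (A.5), x1 < phi(7), x2 < phi(5)."""
    return {pow(rho1, x1, n) * pow(rho2, x2, n) % n
            for x1 in range(PHI_Q1) for x2 in range(PHI_Q2)}


def split_dlog(a, b, sigma1, sigma2):
    """Solve a**x = b (mod 71) for a, b primitive, via (A.7) and (A.8) separately.

    Returns (x1, x2, x) with x = rho1**x1 * rho2**x2 (mod 70) as in (A.5).
    """
    rho1 = orthogonal_primitive(sigma1, Q1)
    rho2 = orthogonal_primitive(sigma2, Q2)
    # (A.7): raising both sides to 70/7 = 10 leaves a congruence in x1 alone,
    # because 10*rho2 = 10 (mod 70) and 10*rho1 = 10*sigma1 (mod 70), see (A.6)
    e1 = N // Q1
    a1, b1 = pow(a, e1, P), pow(b, e1, P)
    x1 = next(k for k in range(PHI_Q1) if pow(a1, pow(sigma1, k), P) == b1)
    # (A.8): raising both sides to 70/5 = 14 leaves a congruence in x2 alone
    e2 = N // Q2
    a2, b2 = pow(a, e2, P), pow(b, e2, P)
    x2 = next(k for k in range(PHI_Q2) if pow(a2, pow(sigma2, k), P) == b2)
    x = pow(rho1, x1, N) * pow(rho2, x2, N) % N   # (A.5)
    return x1, x2, x


if __name__ == "__main__":
    print(orthogonal_primitive(5, Q1), orthogonal_primitive(3, Q2))  # 61 43
    print(sorted(exponent_group(61, 43)))
    print(split_dlog(7, 31, 5, 3))   # (2, 0, 11)
```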

II. Discrete Logarithms Modulo p−1

The congruence (14) defines the relationship between a^(υ) and d^(w), which is repeated here:

$\begin{matrix}{{a^{\upsilon} \cdot d^{w}} \equiv {1\left( {{mod}\mspace{11mu}{p - 1}} \right)}.} & (75)\end{matrix}$

It is convenient to develop a simple relationship between the integers a and d which does not refer to the variations of the pair (υ, w). Specifically, when υ=1 or w=1, such a relationship can be stated as

$\begin{matrix}\left\{ \begin{matrix}{\upsilon = 1} \\{{a \cdot d^{W}} \equiv {1\left( {{mod}\left( {p - 1} \right)} \right)}}\end{matrix} \right. & (76)\end{matrix}$

or

$\begin{matrix}\left\{ {\begin{matrix}{w = 1} \\{{a^{U} \cdot d} \equiv {1\left( {{mod}\left( {p - 1} \right)} \right)}}\end{matrix}.} \right. & (77)\end{matrix}$

Notice that

$\begin{matrix}{{U \cdot W} \equiv {1\left( {{mod}\mspace{11mu}{\varphi\left( {p - 1} \right)}} \right)}.} & (78)\end{matrix}$

To develop U and W, it is convenient to represent υ and w using (19) and to partition the problem as in (26), which is repeated here:

$\begin{matrix}{\alpha_{i}^{\sigma_{i}^{\upsilon_{i}}} \equiv {{\delta_{i}^{- \sigma_{i}^{w_{i}}}\left( {{modp} - 1} \right)}.}} & (79)\end{matrix}$

Let w_(i,m) denote the value of w_(i) when υ_(i)≡0 (mod φ(q_(i)^(ε_(i)))). Then

$\begin{matrix}{\alpha_{i} \equiv {{\delta_{i}^{- \sigma_{i}^{w_{i,m}}}\left( {{{mod}\mspace{14mu} p} - 1} \right)}.}} & \left( {A{.9}} \right)\end{matrix}$

Likewise, let υ_(i,m) denote the value of υ_(i) when w_(i)≡0 (mod φ(q_(i)^(ε_(i)))). Then

$\begin{matrix}{\alpha_{i}^{{\sigma_{i}}^{\upsilon_{i,m}}} \equiv {{\delta_{i}^{- 1}\left( {{{mod}\mspace{14mu} p} - 1} \right)}.}} & \left( {A{.10}} \right)\end{matrix}$

Consider the case when all the υ_(j)'s are congruent to zero modulo φ(q_(j)^(ε_(j))). In this case, from (19),

$\begin{matrix}{a \equiv {{d^{- {\prod\limits_{j = 1}^{h}\rho_{j}^{w_{j,m}}}}\left( {{{mod}\mspace{14mu} p} - 1} \right)}.}} & \left( {A{.11}} \right)\end{matrix}$

Let

$\begin{matrix}{W = {\prod\limits_{j = 1}^{h}\;{\rho_{j}^{w_{j,m}}.}}} & \left( {A{.12}} \right)\end{matrix}$

Then

$\begin{matrix}{a \equiv {{d^{- W}\left( {{mod}\mspace{11mu}{p - 1}} \right)}.}} & \left( {A{.13}} \right)\end{matrix}$

Likewise, consider the case when all the w_(j)'s are congruent to zero modulo φ(q_(j)^(ε_(j))). In this case

$\begin{matrix}{a^{\prod\limits_{j = 1}^{h}\rho_{j}^{\upsilon_{j,m}}} \equiv {{d^{- 1}\left( {{{mod}\mspace{11mu} p} - 1} \right)}.}} & \left( {A{.14}} \right)\end{matrix}$

Let

$\begin{matrix}{U = {\prod\limits_{j = 1}^{h}{\rho_{j}^{\upsilon_{j,m}}.}}} & \left( {A{.15}} \right)\end{matrix}$

Then

$\begin{matrix}{a^{U} \equiv {{d^{- 1}\left( {{mod}\mspace{11mu}{p - 1}} \right)}.}} & \left( {A{.16}} \right)\end{matrix}$

III. THE ORDER OF σ₀=4·ODD+1 MODULO 2^(ε₀)

When σ₀=4·ODD+1, the order of σ₀ modulo 2^(ε₀) equals 2^(ε₀−2):

$\begin{matrix}{\sigma_{0}^{2^{ɛ_{0} - 2}} \equiv {1{\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right).}}} & \left( {A{.17}} \right)\end{matrix}$

Consider the case when σ₀=4·ODD+1. Then

$\begin{matrix}\left\{ {\begin{matrix}\sigma_{0} & \equiv & {{4 \cdot \left( {{2 \cdot k} + 1} \right)} + {1\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}} \\\; & \equiv & {1 + 2^{2} + {8 \cdot {k\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}}} \\\sigma_{0}^{2} & \equiv & {1 + 2^{3} + {16 \cdot {k_{1}\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}}} \\\sigma_{0}^{4} & \equiv & {1 + 2^{4} + {32 \cdot {k_{2}\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}}} \\\; & \ldots & \; \\\sigma_{0}^{2^{ɛ_{0} - 3}} & \equiv & {1 + {2^{ɛ_{0} - 1}\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}} \\\sigma_{0}^{2^{ɛ_{0} - 2}} & \equiv & {1\left( {{mod}\mspace{14mu} 2^{ɛ_{0}}} \right)}\end{matrix}.} \right. & \left( {A{.18}} \right)\end{matrix}$

(k, k₁, k₂ integers).

Notice that the integer σ_(0,0)≡−1+2^(ε₀−1) cannot be produced as a power of σ₀.

III. ATTACHMENT

There exist several variations of encryption systems based on the difficulty of computing discrete logarithms modulo a prime. In the core system the participants share the knowledge of a prime p and one of its primitives, usually denoted as a. All the participants publish their own address c_(P), which they compute as c_(P)=a^(m_(P)), where m_(P) is a random integer which is known to the addressee only.

Any participant who wishes to communicate confidentially with any other participant, say with participant B, transmits to the addressee B a pair of integers denoted as (R, S), where

$\left\{ {\begin{matrix}{R = a^{r}} \\{S = {{message} \cdot c_{B}^{r}}}\end{matrix},} \right.$

where r is a random number selected by the sender. The receiver retrieves the message by computing

$\begin{matrix}{\frac{S}{R^{m_{B}}} = {{message} \cdot \frac{a^{r \cdot m_{B}}}{a^{r \cdot m_{B}}}}} \\{= {message}}\end{matrix}.$

The only other persons who can retrieve the message are the persons who know m_(B) or can compute m_(B) as the discrete logarithm of c_(B) in base a.

Although the invention has been described in detail in the foregoing embodiments for the purpose of illustration, it is to be understood that such detail is solely for that purpose and that variations can be made therein by those skilled in the art without departing from the spirit and scope of the invention except as it may be described by the following claims.
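The (R, S) exchange described above in code, as an added Python example that is not part of the patent: a toy safe prime p=2·p′+1=23 with primitive a=5, and constructed values for m_B, r and the message; the parameter check (p′ prime, a primitive) is the form the page's claims presuppose.

```python
# Added example, not part of the patent: the core (R, S) exchange of the Attachment
# on a toy safe prime p = 2*p' + 1 = 23 with primitive a = 5. The recipient's secret
# m_B, the sender's r and the message are constructed values for illustration.
from math import gcd


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_primitive(a, p):
    """a is a primitive root modulo the prime p: a**((p-1)/q) != 1 for every prime q | p-1."""
    order = p - 1
    prime_factors = [q for q in range(2, order + 1) if order % q == 0 and is_prime(q)]
    return gcd(a, p) == 1 and all(pow(a, order // q, p) != 1 for q in prime_factors)


def check_parameters(p, a):
    """Shared (p, a): p = 2*p' + 1 with p' prime (the form used throughout the page)
    and a a primitive root modulo p."""
    p_prime = (p - 1) // 2
    return is_prime(p) and is_prime(p_prime) and p == 2 * p_prime + 1 and is_primitive(a, p)


def publish_address(p, a, m_P):
    """c_P = a**m_P (mod p); m_P is known to the addressee only."""
    return pow(a, m_P, p)


def encrypt(p, a, c_B, message, r):
    """Sender: R = a**r, S = message * c_B**r (mod p); r is random and must not be reused."""
    if not 0 < message < p:
        raise ValueError("message must be an element of {1, ..., p-1}")
    return pow(a, r, p), message * pow(c_B, r, p) % p


def decrypt(p, m_B, R, S):
    """Receiver: S / R**m_B = message * a**(r*m_B) / a**(r*m_B) = message (mod p)."""
    return S * pow(pow(R, m_B, p), -1, p) % p


def demo():
    p, a = 23, 5                      # toy parameters (constructed); p' = 11
    assert check_parameters(p, a)
    m_B = 6                           # B's secret (constructed)
    c_B = publish_address(p, a, m_B)  # B's published address, 5**6 mod 23 = 8
    R, S = encrypt(p, a, c_B, 10, r=3)
    # the last value shows that a wrong secret (7 instead of 6) does not recover the message
    return c_B, (R, S), decrypt(p, m_B, R, S), decrypt(p, 7, R, S)


if __name__ == "__main__":
    print(demo())   # (8, (10, 14), 10, 1)
```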

REFERENCES, ALL OF WHICH ARE INCORPORATED BY REFERENCE HEREIN

-   [1] T. M. Apostol, Introduction to Analytic Number Theory, New York, N.Y.: Springer-Verlag, 1976.
-   [2] G. H. Hardy, E. M. Wright, An Introduction to the Theory of Numbers, Oxford, UK: Clarendon Press, 1979.
-   [3] S. C. Pohlig, M. E. Hellman, “An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance”, IEEE Trans. Inform. Theory, Vol. IT-24, pp. 106-110, 1978.

The invention claimed is:
 1. A decoding apparatus comprising: a network port in communication with a communication network which receives from the connection network an electromagnetic signal representative of encrypted data which were produced with a first computer relying on a difficulty of computing discrete logarithms; a non-transient memory in which is stored the electromagnetic signal representative of encrypted data which were encrypted by the first computer relying on the difficulty of computing discrete logarithms, the data having a discrete logarithm; a second computer in communication with the memory that decodes the encrypted data in the memory in a time of an order of log log p·log² p by computing the data's discrete logarithm, the second computer reduces the complexity of an exponential congruence which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000, and executes a sequence of reversible transformations supported by the non-transient memory in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1; and a display on which the decoded encrypted data are displayed by the second computer.
 2. A method for processing an electromagnetic signal representative of encrypted data which were produced relying on a difficulty of computing discrete logarithms, the data having a discrete logarithm, with a first computer comprising the steps of: receiving the encrypted data at a network port of a second computer from a communication network, the second computer in communication with the communication network; storing the encrypted data in a non-transient memory of the second computer; performing with the second computer in communication with the memory the computer-generated steps of decoding the encrypted data in the memory in a time of an order of log log p·log² p by computing the data's discrete logarithms, the performing step includes the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000; and executing with the second computer a sequence of reversible transformations supported by a non-transient memory in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1; and displaying on a display the decoded data.
 3. A computer program stored in a non-transient memory in communication with a second computer for decoding with the second computer an electromagnetic signal representative of encrypted data which is encrypted by a first computer relying on a difficulty of computing discrete logarithms, the data having a discrete logarithm, the computer program having the second computer-generated steps of: receiving the encrypted data by the first computer at a network port of the second computer from a communication network; storing the encrypted data in the non-transient memory; decoding the encrypted data in the memory with the second computer in a time of an order of log log p·log² p by computing the data's discrete logarithms, the decoding step includes the steps of reducing the complexity of an exponential congruence which is defined modulo p, where p=2·p′+1, p′ is also a prime and p′−1 contains only factors which are smaller than 100,000; and executing with the second computer a sequence of reversible transformations supported by the non-transient memory in such a way that the exponential congruence modulo p is restated as a problem involving new relationships modulo p and a concurrent independent congruence modulo p−1; and displaying on a display the decoded data.